I ran this traffic by a local sensor running Snort 2.3.3 on FreeBSD 5.4 and it continued to function. There was no DoS or exploit. RD's exploit as written targets Linux. His demo exploits a 2.6 kernel:

"There is nothing wrong with looking for vulnerabilities in your competitor's products, and Neel Mehta has built enough of a rep for himself that he doesn't need to take 'marching orders' from anybody."

I agree there is nothing wrong with looking for vulnerabilities in your competitor's products. However, are we supposed to believe that Neel Mehta, an ISS X-Force researcher, developed this exploit on his own? Are we supposed to think he did not do this at the direction of his employer, who published an advisory? If Neel discovered this vulnerability on his own, and not while working for ISS, why did Sourcefire learn of the vulnerability from US-CERT and not Neel himself?

4 comments:

Anonymous said...

Richard, with all this news about the BO vulnerability in Snort, perhaps you can update your blog with a few words on how you configure the passive network daemons on your sensors. Specifically, with regards to privilege separation and chroot jails etc. I don't think you touched on this much in your book, although I can't check now as I don't have my copy with me.

I've been using Tethereal on FreeBSD to do full content collection in ring buffer mode and I'm trying to figure out how to get it to run without elevated privileges (make /dev/bpf world readable?). My experience here is rather limited. A few thoughts on this subject would be great.

Yes, I know 2.3.3 is not reported to be vulnerable. I was just stating what happened to my system for the sake of complete reporting. I figured I would demonstrate Kyle's tool as it had not been done elsewhere.